Oracle Corp to fix Java security flaw ‘shortly’

“Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs,” Jim Finkle reports for Reuters. “‘A fix will be available shortly,’ the company said in a statement released late on Friday.”

“The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs,” Finkle reports. “That has enabled them to commit crimes from identity theft to making an infected computer part of an ad-hoc computer network that can be used to attack websites.”

Finkle reports, “Java is a computer language that enables programmers to write software utilizing just one set of codes that will run on virtually any type of computer, including ones that use Microsoft Corp’s Windows, Apple Inc’s OS X and Linux.”

Related articles:
Apple blocks OS X Java 7 plug-in as U.S. Department of Homeland Security warns of zero day threat – January 11, 2013
Apple makes OS X even more secure for Mac users by removing Java – October 19, 2012
Apple uninstalls Java applet plug-in from all web browsers – October 17, 2012
New zero-day Java exploit puts 1 billion PCs and Macs running OS X 10.6 or earlier at risk – September 26, 2012
Warning: New Java trojan targets Apple’s OS X along with Windows, Linux – July 11, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Jobs: Having Oracle, not Apple, release timely Java updates better for Mac users – October 22, 2010
Apple deprecates its release of Java for Mac OS X – October 21, 2010

23 Comments

  1. Wouldn’t it be nice if Oracle sent a message saying the flaw has been fixed, update to follow shortly?
    Say, in the same way that Apple Inc. does? Or has Apple Inc. set the bar much too high?
    Meanwhile, our wallets are at risk of a raping & a pillaging by hackers, those of us who are gullible enough to pepper our personal details & passwords in supposed safe password digital wallets.

    1. For the last major zero-day Java security flaw that affected all platforms (CVE-2012-0507) about a year ago, Apple released a Java fix six weeks after Oracle released it for Linux and Windows, long enough for actual Mac malware to be released to exploit it. At that time Apple was solely responsible for releasing Java updates on the Mac.

      Apple also rarely issues updates that fix a single issue, which is common practice on Linux and Windows.

      1. That was not the last major zero-day Java security flaw. There were more during the summer. But that was the infamous zero-day that kicked Apple in the ass and inspired them to do what they did this time, which was to jump on the problem the day of the public notice of in-the-wild exploits on the current flaw. That’s ASTOUNDING. There were some delays getting the XProtect.plist file updated everywhere that day, but update it Apple did, with subsequent shutdown of Java entirely until yesterday’s Oracle update to 7u11. (Which is now available BTW.)

        I also have to applaud Oracle for jumping on the problem as well. Oracle’s laziness allowed this zero-day to exist, as their lameass patch of a previous flaw did NOT actually close that security hole. But at least they too have caught on and fixed the hole once the exploits were announced.

        All around, this was a very positive experience. It was by no means perfect. But both Apple and Oracle did their jobs in a timely manner. I like it!

    1. I also have JavaScript disabled in Safari. I did the uncheck the box thing in Safari > Preferences > Security, but I have to turn it back on every time I want to use Kronos to fill out my Time Card at work. Ridiculous.

      1. Javascript implementations have very little to do with Java, except for the fact that both languages have very similar syntax.

        Everybody who runs a website and monitors visitor usage knows that only web crawlers (search engines) operate without javascript. Disabling javascript is crazy because most web pages (except purely static ones) use javascript. With the advent of CSS, the need for javascript may be somewhat lower, but one can hardly do without.

        Over time, javascript has grown from a poorly documented and buggy language to a very powerful and well-standardized tool (notwithstanding MS’s attempt to mess this up). It is even gaining acceptance in non-web environments.

      1. Actually the best way to find out if Apple has updated your .plist is to navigate to:
        /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
        and look at the date the XProtect.plist file was last updated (command-I or “Get Info”). If you see January 11, 2013 or later, you are good.

        Full disclosure – this info came from Derek Currie’s website http://mac-security.blogspot.com/

        Thanks Derek!
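The manual Get Info check described in the comment above, as an added shell example (not from the original post or from Derek Currie’s site): it reports whether a file’s modification time is on or after a cutoff date, using only POSIX tools so the same function works on macOS and Linux. The XProtect path is the one quoted above; the cutoff format and the helper name are assumptions.

```shell
#!/bin/sh
# Added example: check whether XProtect.plist was last modified on or after
# a cutoff date, instead of reading the date by hand in Get Info.

XPROTECT_DIR=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources
XPROTECT_PLIST="$XPROTECT_DIR/XProtect.plist"

# xprotect_is_current FILE CUTOFF
#   CUTOFF uses the [[CC]YY]MMDDhhmm form accepted by 'touch -t',
#   e.g. 201301110000 for January 11, 2013 00:00.
#   Returns 0 if FILE's mtime is at or after CUTOFF, 1 otherwise
#   (also 1 when FILE is missing, which is the safe answer).
xprotect_is_current() {
    file=$1
    cutoff=$2
    [ -f "$file" ] || return 1

    # Build a reference file carrying exactly the cutoff timestamp.
    ref=$(mktemp) || return 1
    if ! touch -t "$cutoff" "$ref"; then
        rm -f "$ref"
        return 1
    fi

    # 'find REF -newer FILE' prints REF only when the cutoff is strictly
    # newer than FILE, i.e. when FILE predates the cutoff and is stale.
    # Empty output therefore means FILE is at or after the cutoff.
    stale=$(find "$ref" -newer "$file")
    rm -f "$ref"
    [ -z "$stale" ]
}

# Stand-alone use: report on the real XProtect.plist if it exists here.
if [ -f "$XPROTECT_PLIST" ]; then
    if xprotect_is_current "$XPROTECT_PLIST" 201301110000; then
        echo "XProtect.plist is dated January 11, 2013 or later"
    else
        echo "XProtect.plist predates January 11, 2013"
    fi
fi
```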

    1. There’s no meaningful relation between the two. The story of how Javascript got its name was that they were riding the coattails of Java, which was getting big in the 90s. This was needed to build mindshare, because the alternative (on Windows) was f’ing Microsoft VBS (VisualBasic Scripting).

      1. Well, that and the fact that JavaScript was originally called ‘Mocha’. Apparently that made Netscape think they had rights to the word ‘Java’ or something. (0_o)

        Anyway, Netscape weren’t happy with their subsequent name ‘LiveScript’, so their marketing dweebs met with Sun’s marketing dweebs and they decided that using the term ‘JavaScript’ was a great idea, which of course it was NOT. Again we have a great illustration of what happens when you put marketing people into leadership roles. Run and hide.

        The OFFICIAL name of what we call ‘JavaScript’ is ECMAScript. It incorporates all the original JavaScript calls as well as crap Microsoft dumped on the world called, imaginatively, ‘JScript’, as well as further crap Adobe dumped on the world called ‘ActionScript’. Put the whole mess together and you get ECMAScript.

        http://en.wikipedia.org/wiki/JavaScript

        The original JavaScript was supposed to be safe and unable to hack a computer. That dream of faerie land didn’t last long. It has been my fervent wish for over a decade that ‘JavaScript’ be yanked off the Internet and all references to it burned. Then we could start again with something actually secure, for a change. Instead, what we find is that ‘JavaScript’ has become the core of yet further Internet technologies, such as Ajax. Lord help us. :-P

        1. @DC: Thanks for your comments directly above and earlier on the subject of JS. As a flat-out non-technical sort WRT any kind of programming or scripting language, I have to tip my hat to you.

          However, since I have bought the occasional web site element that uses JS (I’m thinking of the various “publish your own” photo galleries like JAlbum, but I’ve used others as well), and I notice that some common web site creating apps (Quick n Easy Web Builder, perhaps Flux, Sandvox and others as well) use JS within their structures, I’m wondering how to overcome the dangers you warn of (short of discontinuing my sites), or if there’s an alternative out there for non-coders like myself? I’d be interested in knowing.

  2. Finkle reports, “Java is a computer language that enables programmers to write software utilizing just one set of codes that will run on virtually any type of computer, including ones that use Microsoft Corp’s Windows, Apple Inc’s OS X and Linux.”

    Yes, let’s go back to the ones that just infect Windows only please. I enjoy those.